Bug 44176 - WebCore::createFragmentFromMarkup ReadAV@NULL
Summary: WebCore::createFragmentFromMarkup ReadAV@NULL
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: DOM
Version: 528+ (Nightly build)
Hardware: PC Windows Vista
Importance: P1 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
Reported: 2010-08-18 07:32 PDT by Berend-Jan Wever
Modified: 2010-09-29 12:10 PDT
CC List: 3 users
Attachments
Repro (227 bytes, text/html), 2010-08-18 07:32 PDT, Berend-Jan Wever

Description Berend-Jan Wever 2010-08-18 07:32:32 PDT
Created attachment 64708: Repro

The following repro causes a NULL pointer crash in latest Chromium:
<body onload="
  document.designMode='on';
  document.execCommand('selectall');
  document.execCommand('InsertLineBreak');
  document.open();
  document.execCommand('Undo');
  document.execCommand('InsertHTML', false, 'x');
">
id:             WebCore::createFragmentFromMarkup ReadAV@NULL (0aeb58d38090b34986cfab3dd85965ec)
description:    Attempt to read from NULL pointer in WebCore::createFragmentFromMarkup
stack:          WebCore::createFragmentFromMarkup
                WebCore::executeInsertHTML
                WebCore::Editor::Command::execute
                WebCore::Document::execCommand
                WebCore::DocumentInternal::execCommandCallback
                v8::internal::HandleApiCallHelper<...>
                v8::internal::Builtin_HandleApiCall
                v8::internal::Invoke
                v8::internal::Execution::Call
                ...
Comment 1 Eric Seidel (no email) 2010-08-18 08:39:31 PDT
I suspect this is related to the document.close() bug. :)
Comment 2 Eric Seidel (no email) 2010-08-18 08:42:53 PDT
The document.close() bug is bug 43055.
Comment 3 Tony Gentilcore 2010-08-18 08:43:09 PDT
Yeah, it looks identical. Want to add this test case to your 43055 patch and then mark this as a dup?
Comment 4 Berend-Jan Wever 2010-09-29 12:10:28 PDT
This no longer crashes latest Chromium and the suspected duplicate was fixed, marking as fixed.